  1. #1
    Join Date
    Jul 2007
    Posts
    2,169
    Plugin Contributions
    16

    Security Alert question

    DrByte you said

    2. The following fix applies only to v1.3.0 thru v1.3.8a:

    Depending on what version, this section can be found around line 1650 up to line 1720:
    Simply change the $prodId= line to match what is shown below:

    function actionMultipleAddProduct($goto, $parameters) {
    global $messageStack;
    if (is_array($_POST['products_id']) && sizeof($_POST['products_id']) > 0) {
    while ( list( $key, $val ) = each($_POST['products_id']) ) {
    if ($val > 0) {
    $adjust_max = false;
    $prodId = ereg_replace('[^0-9a-f:]', '', $key);
    $qty = $val;
    $add_max = zen_get_products_quantity_order_max($prodId);

    ...
    My question is around line 1720 in the /includes/classes/shopping_cart.php for v1.3.8a: this is the code you need us to change, so does all the rest of the code stay in place like it is, or what?

    function actionMultipleAddProduct($goto, $parameters) {
    global $messageStack;
    if (is_array($_POST['products_id']) &&
    sizeof($_POST['products_id']) > 0) {
    foreach($_POST['products_id'] as $key=>$val) {
    // while ( list( $key, $val ) = each($_POST['products_id']) ) {
    if ($val > 0) {
    $adjust_max = false;
    $prodId = ereg_replace('[^0-9a-f:]', '', $key);
    $qty = $val;
    $add_max = zen_get_products_quantity_order_max($prodId);
    $cart_qty = $this->in_cart_mixed($prodId);
    // $new_qty = $qty;
    //echo 'I SEE actionMultipleAddProduct: ' . $prodId . '<br>';
    $new_qty = $this->adjust_quantity($qty, $prodId, 'shopping_cart');


    Thank you in advance
    Is your site Upgraded to the current version 1.5.4 Yet?
    zencart-upgrades-website-installation

  2. #2
    Join Date
    Jan 2004
    Posts
    66,444
    Plugin Contributions
    279

    Re: Security Alert: SQL Injection Risk

    I said:
    Quote Originally Posted by DrByte
    Simply change the $prodId= line to match what is shown below


    Just change the one line. Don't touch anything else unless you want to make problems for yourself.
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
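    The one line DrByte is talking about is a character whitelist: every character in the posted products_id key that is not 0-9, a-f or ':' is thrown away before the value reaches any database query. The script below is an added illustration, not Zen Cart's own code and not part of the official fix. It uses preg_replace() because ereg_replace() was deprecated in PHP 5.3 and removed in PHP 7, and the pattern is the same one as in the fix. The second function (an assumption about the id shape, products_id optionally followed by ':' and a 32-character hex attribute hash) is a stricter check that is not in the fix; it shows how a filtered value can additionally be rejected outright instead of silently shortened.

```php
<?php
// Added example, not Zen Cart code. Same whitelist as the fix's
// ereg_replace('[^0-9a-f:]', '', $key), written with preg_replace()
// because ereg_replace() no longer exists in PHP 7 and later.
function sanitize_prod_id(string $key): string {
    return preg_replace('/[^0-9a-f:]/', '', $key);
}

// Assumption (not part of the fix): a well-formed key is either a numeric
// products_id or products_id ':' 32-hex attribute hash. Anything else is
// rejected rather than used after stripping.
function is_well_formed_prod_id(string $prodId): bool {
    return (bool) preg_match('/^[0-9]+(:[0-9a-f]{32})?$/', $prodId);
}

// Constructed sample keys: the first two are what a legitimate cart form
// posts; the rest show what the whitelist does with anything else.
$samples = [
    '12',
    '12:0f5b8c1ad9e7e3a6c2b4d8f1a7e9c0b3',
    '12 xyz',    // space and non-hex letters are dropped  -> "12"
    "12'--",     // quote and dashes are dropped            -> "12"
    'ABC',       // upper-case hex is not in the whitelist  -> ""
];

foreach ($samples as $key) {
    $clean = sanitize_prod_id($key);
    printf("%-40s -> %-40s well-formed: %s\n",
        var_export($key, true),
        var_export($clean, true),
        is_well_formed_prod_id($clean) ? 'yes' : 'no');
}
```

    Run it with php from the command line to see each key before and after filtering. Unrelated to the example itself, but relevant to the blank pages mentioned later in this thread: after editing shopping_cart.php, `php -l includes/classes/shopping_cart.php` reports a syntax error with its line number if a copy-paste mangled the file, which is quicker than reloading the store.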

  3. #3
    Join Date
    Jul 2007
    Posts
    2,169
    Plugin Contributions
    16

    Re: Security Alert question

    Thank you for clarifying that for me. I don't know why I did not get it the first time. I understand now. Thanks again.
    Is your site Upgraded to the current version 1.5.4 Yet?
    zencart-upgrades-website-installation

  4. #4
    Join Date
    Mar 2008
    Posts
    27
    Plugin Contributions
    0

    Re: Security Alert question

    I noticed that there is a difference in the code of shopping_cart.php between the post with the fix from Dr. Byte and what is shown in this example. For instance, in Dr. Byte's post the listing from the final part of the post shows as

    function actionMultipleAddProduct($goto, $parameters) {
    global $messageStack;
    if (is_array($_POST['products_id']) && sizeof($_POST['products_id']) > 0) {
    while ( list( $key, $val ) = each($_POST['products_id']) ) {
    if ($val > 0) {
    $adjust_max = false;
    $prodId = ereg_replace('[^0-9a-f:]', '', $key);
    $qty = $val;
    $add_max = zen_get_products_quantity_order_max($prodId);
    Notice that the line containing 'while ( list ... ' is NOT commented out.

    In my version of shopping_cart.php it looks like this

    function actionMultipleAddProduct($goto, $parameters) {
    global $messageStack;
    if (is_array($_POST['products_id']) &&
    sizeof($_POST['products_id']) > 0) {
    foreach($_POST['products_id'] as $key=>$val) {
    // while ( list( $key, $val ) = each($_POST['products_id']) ) {
    if ($val > 0) {
    $adjust_max = false;
    $prodId = ereg_replace('[^0-9a-f:]', '', $key);
    $qty = $val;
    $add_max = zen_get_products_quantity_order_max($prodId);
    $cart_qty = $this->in_cart_mixed($prodId);
    // $new_qty = $qty;
    //echo 'I SEE actionMultipleAddProduct: ' . $prodId . '<br>';
    $new_qty = $this->adjust_quantity($qty, $prodId, 'shopping_cart');
    Not only is the line containing 'while ( list....' commented out, there are also some extra lines.

    I am running 1.3.8a and the includes/classes/shopping_cart.php is dated 10/23/2007.

    When I apply the fix, I just get blank pages.

    What is the correct version of shopping_cart.php?

  5. #5
    Join Date
    Jan 2004
    Posts
    66,444
    Plugin Contributions
    279

    Re: Security Alert question

    Just changing the one line mentioned should suffice, regardless what's around it.

    Perhaps your text editor is damaging the file?
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  6. #6
    Join Date
    Mar 2008
    Posts
    27
    Plugin Contributions
    0

    Re: Security Alert question

    Quote Originally Posted by DrByte
    Just changing the one line mentioned should suffice, regardless what's around it.

    Perhaps your text editor is damaging the file?
    Well, I got it to work.

    I went back to the start and manually entered the various lines. Previously I had done a copy-paste on the $prodId line in part 2 of the fix; this time I typed it in. I used the same text editor, PFE. I am guessing something got hosed when I did the copy-paste. Haven't had that happen before ;>

    Thanks for your help - I do appreciate it.

    Rich
